XADM: Advanced Security Revocation Not Immediate

• Microsoft Exchange Server, versions 4.0, 5.0, 5.5

SUMMARY

When advanced security is revoked for a Microsoft Exchange user, the effect of this on the user's ability to send sealed or signed messages is not immediate.

It can take up to 24 hours for all clients to become aware that advanced security was revoked for the user.

MORE INFORMATION

When advanced security is revoked for a user, that user's certificate is added to the certificate revocation list (CRL). For performance reasons and to enable offline use, the CRL is cached on the client computer and expires every 24 hours. Therefore, it could take up to 24 hours for the clients to become aware of the CRL change.

After clients are aware of the change to the CRL, they will not allow Signed or sealed messages to be sent to the user in question. The user in question also will not be able to send signed or sealed messages.

If a user certificate has been compromised, it is recommended that the Microsoft Exchange Administrator disable and then re-enable advanced security for the user in question. This will generate a new token that should be given to the user.

If an Administrator wants to remove security from a user permanently, for example when an employee has left the company on bad terms, it may be better to delete the mailbox.

Keywords          : XADM kbusage
Version           : WINDOWS:4.0,5.0,5.5
Platform          : WINDOWS
Issue type        : kbinfo